Security Appliance Radius Authorization Attributes - Cisco FirePOWER ASA 5500 series Configuration Manual


Appendix E
Configuring an External Server for Authorization and Authentication
Configuring an External RADIUS Server
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01

For other vendors' RADIUS servers (for example, Microsoft Internet Authentication Service): you
must manually define each security appliance attribute. To define an attribute, use the attribute name
or number, type, value, and vendor code (3076). For a list of security appliance RADIUS
authorization attributes and values, see Table E-4.

Step 2
Set up the users or groups with the permissions and attributes to send during IPSec/WebVPN tunnel
establishment. The permissions or attributes might include access hours, primary DNS, banner, and so
forth.

Security Appliance RADIUS Authorization Attributes

Note
Authorization refers to the process of enforcing permissions or attributes. A RADIUS server defined as
an authentication server enforces permissions or attributes if they are configured.

Table E-4 lists all the possible security appliance supported attributes that can be used for user
authorization.

Table E-4
Security Appliance Supported RADIUS Attributes and Values

| Attribute Name | VPN 3000 | ASA | PIX | Attr. # | Syntax/Type | Single or Multi-Valued | Value |
|---|---|---|---|---|---|---|---|
| Access-Hours | Y | Y | Y | 1 | String | Single | Name of the time range, e.g., Business-hours |
| Simultaneous-Logins | Y | Y | Y | 2 | Integer | Single | An integer 0 to 2147483647 |
| Primary-DNS | Y | Y | Y | 5 | String | Single | An IP address |
| Secondary-DNS | Y | Y | Y | 6 | String | Single | An IP address |
| Primary-WINS | Y | Y | Y | 7 | String | Single | An IP address |
| Secondary-WINS | Y | Y | Y | 8 | String | Single | An IP address |
| SEP-Card-Assignment | | | | 9 | Integer | Single | Not used |
| Tunneling-Protocols | Y | Y | Y | 11 | Integer | Single | 1 = PPTP; 2 = L2TP; 4 = IPSec; 8 = L2TP/IPSec; 16 = WebVPN. 4 and 8 are mutually exclusive (0-11, 16-27 are legal values) |
| IPSec-Sec-Association | Y | | | 12 | String | Single | Name of the security association |
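
An added example, not part of the Cisco manual: a validator and encoder an administrator could run over Table E-4 values before defining them manually on another vendor's RADIUS server. It assumes the sub-attribute layout that RFC 2865 recommends for Vendor-Specific attributes; the function and constant names are illustrative.

```python
import ipaddress
import struct

VENDOR_ID = 3076   # vendor code given on this page
VSA_TYPE = 26      # RFC 2865 Vendor-Specific attribute type

# name -> (attribute number, syntax), copied from the Table E-4 rows above.
# SEP-Card-Assignment (9) is left out because the table marks it "Not used".
ATTRS = {
    "Access-Hours": (1, "string"),
    "Simultaneous-Logins": (2, "integer"),
    "Primary-DNS": (5, "string"),
    "Secondary-DNS": (6, "string"),
    "Primary-WINS": (7, "string"),
    "Secondary-WINS": (8, "string"),
    "Tunneling-Protocols": (11, "integer"),
    "IPSec-Sec-Association": (12, "string"),
}
IP_ATTRS = {"Primary-DNS", "Secondary-DNS", "Primary-WINS", "Secondary-WINS"}
PROTOCOL_BITS = {1: "PPTP", 2: "L2TP", 4: "IPSec", 8: "L2TP/IPSec", 16: "WebVPN"}


def decode_tunneling_protocols(value):
    """Return the protocols a bitmap enables; reject values the table calls illegal."""
    # Legal values are 0-11 and 16-27: bits 4 and 8 may never be set together.
    if not 0 <= value <= 27 or (value & 4 and value & 8):
        raise ValueError(f"illegal Tunneling-Protocols value {value}")
    return [name for bit, name in PROTOCOL_BITS.items() if value & bit]


def encode_vsa(name, value):
    """Validate one attribute and pack it as a Vendor-Specific attribute."""
    number, syntax = ATTRS[name]
    if syntax == "integer":
        if name == "Tunneling-Protocols":
            decode_tunneling_protocols(value)
        elif not 0 <= value <= 2147483647:
            raise ValueError(f"{name} out of range")
        data = struct.pack("!I", value)            # 4-byte big-endian integer
    else:
        if name in IP_ATTRS:
            ipaddress.ip_address(value)            # ValueError on a bad address
        data = value.encode("ascii")
    # Assumed layout: vendor type, vendor length, value (RFC 2865 section 5.26).
    sub = struct.pack("!BB", number, 2 + len(data)) + data
    return struct.pack("!BBI", VSA_TYPE, 6 + len(sub), VENDOR_ID) + sub
```

Rejecting 12-15 and anything above 27 before the profile reaches the server catches a mistyped bitmap that would otherwise ask for both IPSec and L2TP/IPSec or set undefined bits.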
